SQL注入是一个非常危险的事情，它可能进入我们的管理界面，非法获取用户信息或重要资料，使我们蒙受损失，下面介绍一种在ASP中防范SQL注入攻击的方法：

<%On Error Resume NextDim strTemp

If LCase(Request.ServerVariables("HTTPS")) = "off" Then strTemp = "http://"Else strTemp = "https://"End If

strTemp = strTemp & Request.ServerVariables("SERVER_NAME")

If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")strTemp = strTemp & Request.ServerVariables("URL")If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)strTemp = LCase(strTemp)

If Instr(strTemp,"select%20") or Instr(strTemp,"insert%20") or Instr(strTemp,"delete%20from") or Instr(strTemp,"count(") or Instr(strTemp,"drop%20table") or Instr(strTemp,"update%20") or Instr(strTemp,"truncate%20") or Instr(strTemp,"asc(") or Instr(strTemp,"mid(") or Instr(strTemp,"char(") or Instr(strTemp,"xp_cmdshell") or Instr(strTemp,"exec%20master") or Instr(strTemp,"net%20localgroup%20administrators") or Instr(strTemp,":") or Instr(strTemp,"net%20user") or Instr(strTemp,"'") or Instr(strTemp,"%20or%20") then Response.Write "<script language='Javascript'>" Response.Write "alert('地址中含有非法字符！！');" Response.Write "location.href='index.asp';" Response.Write "<script>"End If%>

这样，我们可以杜绝用户在地址中传递非法参数二达到SQL注入攻击的目的。

本文源自：翔宇亭IT乐园（http://），转载请保留此信息！